Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Published: 2026-04-17
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via out-of-bounds read
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from the libgphoto2 camera library, specifically the ptp_unpack_Sony_DPD() routine in ptp-pack.c. In versions up to 2.5.33 the function reads a 2‑byte enumeration count without first verifying that the buffer contains two bytes. This unchecked read can expose arbitrary memory contents from the host process that handles camera communication, constituting a classic out-of-bounds read flaw.

Affected Systems

Any installation of libgphoto2 for the gphoto vendor with a version 2.5.33 or earlier is affected. Software that depends on this library and communicates with Sony cameras via the PTP_DPFF_Enumeration content will also be vulnerable. Public releases newer than 2.5.33 contain the fix and are not impacted.

Risk and Exploitability

The CVSS score of 5.2 indicates a medium severity threat. Exploitation would require an attacker to supply crafted PTP commands to the library, typically by interacting with a connected camera device or through a vulnerable camera control application. Because the flaw is an out-of-bounds read rather than a format‑string or privilege‑escalation bug, the risk of arbitrary code execution is low, but the potential to leak sensitive data is present. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting a moderate but not imminent exploitation risk. The likely attack vector is a local or device-based attack where the attacker can send compromised data to the library.

Generated by OpenCVE AI on April 18, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libgphoto2 to the latest release or apply the patch commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 to eliminate the unchecked buffer read.
  • Ensure that all dependent software references the updated library and restart services to load the patched binary.
  • If an immediate update is not feasible, restrict access to camera devices by limiting permissions to trusted users or disabling PTP features until the library can be updated.

Generated by OpenCVE AI on April 18, 2026 at 08:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gphoto
Gphoto libgphoto2
Vendors & Products Gphoto
Gphoto libgphoto2

Sat, 18 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Title libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L'}

Subscriptions

Gphoto Libgphoto2
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:16:08.585Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40338

cve-icon Vulnrichment

Updated: 2026-04-20T16:13:42.836Z

cve-icon NVD

Status : Deferred

Published: 2026-04-18T00:16:37.810

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40338

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-17T23:40:10Z

Links: CVE-2026-40338 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:09Z

Weaknesses